NEWS FROM THE LAB - Tuesday, August 3, 2010

JailbreakMe 2.0 Uses PDF Exploit Posted by Sean @ 10:33 GMT

Edited to add: Due to a communication error between our labs, we incorrectly stated that the exploit PDF files, mentioned below, crash Adobe Reader. This is not the case. Our apologies for the error.

The iOS drive-by jailbreak available at jailbreakme.com (see yesterday's post) relies on a PDF exploit. There are 20 PDF files, one per supported combination of device hardware and firmware version, located in a subdirectory off the root of the website.

JailbreakMe 2.0 PDF Directory

Here's a snapshot of the code.

JailbreakMe 2.0 PDF Code

Charlie Miller had this to say via Twitter:

"Starting to get a handle on jailbreakme.com exploit. Very beautiful work. Scary how it totally defeats Apple's security architecture."

In our testing, the PDF files crash both Adobe Reader and Foxit on Windows (but see the correction at the top of this post: the Adobe Reader claim was wrong). We detect them as variants of Exploit:W32/Pidief. While these particular files are not being used maliciously, an exploit is an exploit, and the same malformed fonts could be dropped into a PDF with a different payload, so we'll add detections for them.

Do note that by default there is no separate PDF viewer on an iPhone: PDF rendering is built into the Safari browser, so simply browsing to the page is enough to open the file. The attack embeds a malformed font inside the PDF; when the Compact Font Format (CFF) handler parses that font, it crashes, and the crash is what the exploit builds on.
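Since the attack lives in an embedded CFF font rather than in the PDF syntax itself, a useful triage step is to pull the bare-CFF font streams (FontFile3 with /Subtype /Type1C or /CIDFontType0C) out of a PDF and sanity-check the CFF header and the INDEX structures every CFF font opens with. The following is an added example written for this post, not code from F-Secure or from jailbreakme.com: it flags an INDEX whose offsets run past the end of the font or are not increasing, which is exactly the kind of malformation a font parser has to reject before it dereferences anything. The sample PDFs and CFF blobs are constructed inline; the object numbers, font name and stream layout are assumptions, and the checks are a heuristic for suspicious fonts, not a signature for the specific bug JailbreakMe uses.

```python
"""Structural triage of bare CFF fonts embedded in PDFs (added example)."""
import re
import struct
import zlib

# One indirect object with a stream. The tempered dot stops the dictionary match
# from leaking across "endobj" into the next object. Only direct /Length values
# are honoured; indirect lengths fall back to the "endstream" keyword.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
CFF_SUBTYPE_RE = re.compile(rb"/Subtype\s*/(Type1C|CIDFontType0C)\b")


def extract_cff_streams(pdf_bytes):
    """Yield (object number, cff bytes or None) for every bare-CFF font stream.
    None means the stream claimed /FlateDecode but did not inflate."""
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, stream_dict, start = int(m.group(1)), m.group(2), m.end()
        if not CFF_SUBTYPE_RE.search(stream_dict):
            continue
        lm = LENGTH_RE.search(stream_dict)
        if lm:
            body = pdf_bytes[start:start + int(lm.group(1))]
        else:
            end = pdf_bytes.find(b"endstream", start)
            body = pdf_bytes[start:end if end != -1 else len(pdf_bytes)].rstrip(b"\r\n")
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                body = None
        yield obj_num, body


def _check_index(data, pos, name):
    """Validate the CFF INDEX starting at `pos`. Returns (end position, problems)."""
    if pos + 2 > len(data):
        return len(data), [f"{name} INDEX: truncated count field"]
    count = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    if count == 0:                      # an empty INDEX is just its 2-byte count
        return pos, []
    if pos >= len(data):
        return len(data), [f"{name} INDEX: truncated offSize field"]
    off_size = data[pos]
    pos += 1
    if not 1 <= off_size <= 4:
        return len(data), [f"{name} INDEX: invalid offSize {off_size}"]
    n_off = count + 1
    if pos + n_off * off_size > len(data):
        return len(data), [f"{name} INDEX: offset array runs past end of data"]
    offsets = [int.from_bytes(data[pos + i * off_size:pos + (i + 1) * off_size], "big")
               for i in range(n_off)]
    pos += n_off * off_size
    problems = []
    if offsets[0] != 1:                 # offsets are 1-based from the byte before the data
        problems.append(f"{name} INDEX: first offset is {offsets[0]}, expected 1")
    if any(b < a for a, b in zip(offsets, offsets[1:])):
        problems.append(f"{name} INDEX: offsets are not monotonically increasing")
    end = pos - 1 + offsets[-1]
    if end > len(data):
        problems.append(f"{name} INDEX: data extends {end - len(data)} bytes past end of font")
        return len(data), problems
    return end, problems


def check_cff(data):
    """Return the structural problems found in a bare CFF font (empty list = looks sane)."""
    if data is None:
        return ["FlateDecode stream failed to inflate"]
    if len(data) < 4:
        return ["header truncated"]
    major, hdr_size, off_size = data[0], data[2], data[3]
    problems = []
    if major != 1:
        problems.append(f"unexpected CFF major version {major}")
    if not 4 <= hdr_size <= len(data):
        return problems + [f"header size {hdr_size} is out of range"]
    if not 1 <= off_size <= 4:
        problems.append(f"invalid absolute offSize {off_size}")
    pos = hdr_size
    for name in ("Name", "Top DICT", "String", "Global Subr"):
        pos, found = _check_index(data, pos, name)
        problems.extend(found)
        if found:                       # later INDEXes are meaningless once one is broken
            break
    return problems


def scan_pdf(pdf_bytes):
    """Map object number -> problems for every embedded bare-CFF font in the PDF."""
    return {obj: check_cff(cff) for obj, cff in extract_cff_streams(pdf_bytes)}


# Constructed samples (assumed layout; not the real JailbreakMe files).
def _index(items):
    """Serialise a CFF INDEX with 1-byte offsets; enough for these tiny samples."""
    if not items:
        return b"\x00\x00"
    offsets = [1]
    for item in items:
        offsets.append(offsets[-1] + len(item))
    return struct.pack(">H", len(items)) + b"\x01" + bytes(offsets) + b"".join(items)

CFF_HEADER = b"\x01\x00\x04\x01"        # CFF 1.0, hdrSize 4, absolute offSize 1
GOOD_CFF = CFF_HEADER + _index([b"Test"]) + _index([b"\x8b\x0f"]) + _index([]) + _index([])
BAD_CFF = CFF_HEADER + b"\x00\x01\x01\x01\xff" + b"Test" + GOOD_CFF[13:]       # ends 255 bytes in
NONMONO_CFF = CFF_HEADER + b"\x00\x02\x01\x01\x06\x03" + b"Te" + GOOD_CFF[13:]  # offsets 1,6,3


def build_pdf(cff, compress=False):
    """Wrap a CFF blob in a minimal PDF whose FontDescriptor references it via FontFile3."""
    body = zlib.compress(cff) if compress else cff
    filt = b" /Filter /FlateDecode" if compress else b""
    stream_obj = b"4 0 obj\n<< /Subtype /Type1C /Length %d%s >>\nstream\n" % (len(body), filt)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /Type /FontDescriptor /FontName /Test /FontFile3 4 0 R >>\nendobj\n"
            + stream_obj + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("well-formed", build_pdf(GOOD_CFF, compress=True)),
                       ("offset past end", build_pdf(BAD_CFF)),
                       ("non-monotonic", build_pdf(NONMONO_CFF))):
        print(label, scan_pdf(pdf))
```

The checks deliberately stop at the first broken INDEX: once an offset table is untrustworthy, nothing after it can be located reliably, and a parser that keeps going is the one that ends up reading or writing through a bad pointer. A production scanner would also need to handle object streams, cross-reference streams and the other stream filters, none of which this example attempts.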

(Four earlier iOS vulnerabilities in CoreGraphics/PDF handling have already been patched.)

VirusTotal Report, Exploit:W32/Pidief

The SHA1 hashes and other details are in the VirusTotal report.

On an amusing endnote, while jailbreaking an iPhone is now legal, it's not very nice to do so at the Apple Store.

Updated to add: Foxit Reader 4.1, released on August 3rd, fixes a "crash issue when opening certain PDFs."

JailbreakMe exploits two vulnerabilities in iOS: the PDF font-parsing flaw gives code execution inside the browser process, and a second vulnerability in the kernel escalates privileges so the code can escape the sandbox. VUPEN Security has a detailed vulnerability report.